Deployment Architecture

Why is the clustering security key optional?

Communicator

When configuring a cluster, you're given a textbox to provide an optional security key.

The fact that this is an optional field is somewhat worrying. Given a scenario where one isn't provided, this essentially allows anyone to set up a new Search Head from another server, their desktop, etc., and, just by knowing the URL of the Cluster Master, bypass any and all account and index security settings set up elsewhere.

Of course, no tool is foolproof, and someone clueless enough will always manage to create giant issues and security holes, but software should at least try to cover the obvious.

Back in the Splunk 4.x days, when setting up a Search Head to search multiple indexers, you would be required to provide an account that existed on the indexers for the SH to authenticate with. Going to an optional security key for a cluster of indexers seems like a step backwards.

Also, nowhere in the clustering documentation do I see an emphasis placed on the importance of having a good cluster security key. The most I could find was this, on the "Enable the cluster master node" doc page, where it even seems to indicate that leaving it empty is okay.

Security Key. This is the key that authenticates communication between the master and the peers and search heads. The key must be the same across all cluster instances. If you leave the field empty here, leave it empty on the peers and search heads as well.


Splunk Employee

The clustering uses the pass4symkey to authenticate.
This is different from the admin user auth that was used in distributed search.

The problem is that putting a default value is like putting a blank value.
The value is requested in the UI when you set up the cluster master, but you can leave it blank.

I agree with you, and recommend putting a value in to prevent unexpected persons from joining your cluster (with a search head, or a new cluster slave).
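The doc excerpt in the question says the key must be identical on the master, the peers and the search heads, and the answer above says the cluster authenticates with pass4SymmKey. The following is an added example, not Splunk's own code and not part of this thread: it parses [clustering] stanzas from server.conf files of each node and reports a blank key, a key that differs between nodes, or a key that Splunk has already encrypted on disk. [clustering] and pass4SymmKey are the real server.conf stanza and setting; the node names, hostnames, conf contents and the 16-character minimum are constructed for the example.

```python
"""Audit the pass4SymmKey shared by a Splunk indexer cluster.

Added example for this thread, not Splunk's own code. [clustering] and
pass4SymmKey are the real server.conf stanza and setting; the node names,
hostnames and conf contents below are constructed sample input.
"""
import configparser
import secrets
from typing import Dict, List, Optional

# Constructed server.conf fragments, one per role. The search head leaves the
# key blank, which is the gap the question describes.
SAMPLE_CONFS: Dict[str, str] = {
    "cm01 (master)": """
[clustering]
mode = master
replication_factor = 3
search_factor = 2
pass4SymmKey = changeme-to-a-long-random-secret
""",
    "idx01 (peer)": """
[replication_port://9887]

[clustering]
mode = slave
master_uri = https://cm01.example.internal:8089
pass4SymmKey = changeme-to-a-long-random-secret
""",
    "sh01 (search head)": """
[clustering]
mode = searchhead
master_uri = https://cm01.example.internal:8089
pass4SymmKey =
""",
}

# After a restart Splunk rewrites the key in server.conf as ciphertext with one
# of these prefixes, encrypted with that host's own splunk.secret, so two hosts
# holding the same key show different ciphertext and cannot be compared here.
ENCRYPTED_PREFIXES = ("$1$", "$7$")
MIN_KEY_LENGTH = 16  # assumed local policy for this example, not a Splunk requirement


def clustering_key(conf_text: str) -> Optional[str]:
    """Return the pass4SymmKey from [clustering], "" if blank, None if no stanza."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(conf_text)
    if not cp.has_section("clustering"):
        return None
    # configparser lowercases option names, so look up the lowercased key.
    return (cp.get("clustering", "pass4symmkey", fallback="") or "").strip()


def audit_cluster_keys(confs: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every node shares one non-empty key."""
    findings: List[str] = []
    plaintext: Dict[str, str] = {}
    for node, text in confs.items():
        key = clustering_key(text)
        if key is None:
            findings.append(f"{node}: no [clustering] stanza")
        elif key == "":
            findings.append(f"{node}: pass4SymmKey is blank; any host that knows "
                            "master_uri can join as this role")
        elif key.startswith(ENCRYPTED_PREFIXES):
            findings.append(f"{node}: key already encrypted on disk; verify it on "
                            "the host rather than by comparing files")
        else:
            if len(key) < MIN_KEY_LENGTH:
                findings.append(f"{node}: key shorter than {MIN_KEY_LENGTH} characters")
            plaintext[node] = key
    if len(set(plaintext.values())) > 1:
        findings.append("pass4SymmKey differs between: " + ", ".join(sorted(plaintext)))
    return findings


def new_key(nbytes: int = 32) -> str:
    """Generate a random key to paste into every node's [clustering] stanza."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for finding in audit_cluster_keys(SAMPLE_CONFS) or ["no findings"]:
        print(finding)
    print("suggested key:", new_key())
```

Run it against the sample and it flags only the search head, the node that would let anyone who knows master_uri attach to the cluster. Once a key has been written and the instance restarted, the plaintext is gone from server.conf, so run a check like this before first start, or verify the key on each host instead of diffing files.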

Communicator

I agree with you on the default value part - a default is no better than a blank.

I just feel the importance of this is severely understated in the documentation. Actually, the whole clustering/search head setup in general. A rogue/misconfigured search head will undermine your entire security setup.


Splunk Employee

I agree, and reported it to the documentation writers to raise the attention in the docs on this setting.
